Patient’s Guide to HIPAA – Uses and Disclosures: Does HIPAA Really Restrict Use and Disclosure of My Health Records?

HIPAA Guide Quick Links:

FAQ 54: Does HIPAA Really Restrict Use and Disclosure of My Health Records?

This is a tough question to answer in a simple way. The answer depends in part on your perspective. If you thought that your health records would never be disclosed without your consent, then you won’t think much of the HIPAA use and disclosure provisions.

Another answer is that HIPAA regulates all uses and disclosures. If the rule does not allow a use or disclosure, then the only way that a covered entity can use or disclose the record is with your written authorization. If you think that sounds good, you should keep reading because the rule allows a large number of uses and disclosures without your consent. By the way, a use of information occurs when a covered entity makes a record available to someone within the organization that maintains the record. A disclosure occurs when a record is shared with someone outside the organization.

The Center for Law, Ethics, and Applied Research in Health Information at Indiana University has a map that shows the flow of information within the health care system. The system of information flows is so complex that the map is hard to understand, but that’s the point. Have a look for yourself at http://www.mappinghealth.com/iuclear/#journeyv. There another map maintained by Harvard Professor Latanya Sweeney at http://thedatamap.org/. Both of these maps are works in progress.

A third answer is that HIPAA allows many uses and disclosures to occur without any need for your approval. Typically, these are disclosures made so a covered entity can be paid for services, manage its operations, provide treatment, or comply with government reporting requirements. I most cases, these disclosures are reasonable and expected.

It is genuinely difficult to count the number of categories of permissible uses and disclosures. Much depends on how you do the counting. The number of government and private institutions that can ask for and receive health records without your permission numbers in the tens of thousands. A covered entity can make nearly all permissible uses and disclosures without your consent or authorization. Indeed, with only a few exceptions, a covered entity can make most allowable uses and disclosures even over your express written objection.

A fourth answer is that HIPAA did not really change the practice for most covered entities regarding use and disclosure in any major way. Instead, HIPAA established universal standards and procedures for covered entities. These standards and procedures were new. However, the uses and disclosures that HIPAA allows are largely those that became routine in the last half of the twentieth century. Most health care providers were not aware of how widespread the use and disclosure of health records had become. Before HIPAA, many providers thought that they only disclosed patient records with the consent of the patient, but it just wasn’t true. HIPAA made everyone pay attention to and learn about privacy, often for the first time.

All of these activities and others contributed to the demand for access to individually identifiable medical records. Most of these activities serve important public or personal purposes, and it is not always easy to dismiss the HIPAA rule’s policies as anti-privacy. Disclosure often serves another significant but competing goal. Protecting privacy is only one objective in the health care system. We don’t know how the Affordable Care Act (Obamacare) will affect the flow of health information, but we confidently predict that the flow will not diminish.

Anonymous records?

Some health activities can be and are conducted with records that do not include any identifying data about individual patients. However, use of anonymous or non-identifiable records doesn’t meet all the needs for health information for several reasons. First, some activities really do require records with identifiers. For research that tracks the course of disease over years, the only way to link records may be with the use of identifiers.

Second, too many activities that could have used non-identifiable records started at a time when few paid attention to privacy or to alternatives to the use of identifiable records. Methods that might have increased use of non-identifiable records do not always exist because nothing forced their development.

Third, it is increasingly difficult to talk about non-identifiable records. As the amount of data recorded and available throughout society increased, the domain of truly non-identifiable records diminished. It is easier and easier to identify records even though overt identifiers have been removed. To make the point, more than 85% of the population of the United States can be uniquely identified just by date of birth, gender, and five-digit zip code. All records, no matter how they may have been edited or masked, may be potentially identifiable with enough time, effort, and other data. Powerful modern computers make it easier to link records and to re-identify records that have been “de-identified.” Even snippets of DNA can sometimes be linked to identifiable individuals, and the ability to link DNA with real people will only expand over time.

Be Careful About Any or All Authorizations

Another interesting and important part of the rule tries to limit use and disclosure to the minimum amount of information necessary to accomplish the purpose of the use or disclosure. This is a fine principle, but its implementation is complex and controversial. All uses and disclosures to a health care provider for treatment purposes are exempt from the minimum necessary rule. It’s a big exception to the principle, but it is one that makes sense to us. Providers need broad access to records for treatment. Disclosures pursuant to a patient’s authorization are also exempt, which is a reason that a patient should be careful when signing any authorization for disclosure of his or her records. If you sign an authorization for the disclosure of “any or all” of your records, your entire medical history can be disclosed.

Roadmap: Patient’s Guide to HIPAA: Part 3: What You Should Know about Uses and Disclosures (FAQ 54 of 65)

To score is human. Ranking individuals by grades and other performance numbers is as old as human society. Consumer scores — numbers given to individuals to describe or predict their characteristics, habits, or predilections — are a modern day numeric shorthand that ranks, separates, sifts, and otherwise categorizes individuals and also predicts their potential future actions. This new report by Pam Dixon and Robert Gellman explores this issue of predictive scores and privacy.

This Jan. 30, 2014 report discusses a new right to restrict disclosure of health information under the updated HIPAA health privacy rule. The new provision called “Pay Out of Pocket,” also called the “Right to Restrict Disclosure” gives patients the right to request that their health care provider not report or disclose their information to their health plans when they pay for medical services in full. Navigating the new right will take effort and planning for patients to utilize effectively. This substance of this report is about the new patient right to restrict disclosure, and how patients can use it to protect health privacy.

This report focuses on government use of commercial data brokers, the implications for that usage, and what needs to be done to address privacy problems. The government must bring itself fully to heel in the area of privacy. If it is going to outsource its data needs to commercial data brokers, it needs to attach the privacy standards it would have been held to if it had collected the data itself. Outsourcing is not an excuse for evading privacy obligations. Report authors: Bob Gellman and Pam Dixon.